Check Point's latest research uncovered a cluster of activities, dubbed Educated Manticore, that strongly resembles those of the Phosphorus threat group. The study unveils an updated infection chain that ultimately results in the deployment of a new variant of PowerLess malware.
Diving into details
Educated Manticore, like many other threat actors, has followed recent trends and begun incorporating ISO images and potentially other archive files into its infection chains.
- The actor has substantially upgraded its toolset and is now utilizing sophisticated techniques, including constructing .NET executables as Mixed Mode Assembly. The updated version of the PowerLess implant serves as the final payload.
- The ISO file is used as a channel to present a false document in Arabic, English, and Hebrew.
- The document appears to contain academic information about Iraq from a genuine non-profit organization called the Arab Science and Technology Foundation (ASTF), suggesting that the campaign may have been aimed at the research community.
The power of payload
While the new PowerLess payload is similar to its predecessor, its loading mechanisms have been significantly improved, using techniques rarely seen in the wild.
- It uses .NET binary files created in mixed mode with assembly code.
- The version is believed to be intended for phishing attacks focused on Iraq, using an ISO file to initiate the infection chain.
- The backdoor can pilfer data from web browsers and applications such as Telegram. Additionally, it can capture screenshots, record audio, and log keystrokes.
- After obtaining a key from the server, PowerLess encrypts its communication to the server and encodes it using Base64. To deceive researchers, the threat actor adds three random letters at the start of the encoded blob.
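For analysts triaging captured traffic, the three-letter prefix described above is easy to recognise: it leaves the blob's length at 3 modulo 4, so a strict Base64 decoder rejects it until the prefix is removed. The sketch below is an added example, not Check Point's tooling or code from the malware; the function names and sample bytes are hypothetical, and it assumes ASCII letters and the standard Base64 alphabet. The encryption scheme is not given in this article, so the output is still ciphertext.

```python
import base64
import binascii


def strict_b64(text):
    """Return decoded bytes, or None if text is not well-formed Base64."""
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def unwrap(blob):
    """Classify a captured body; return (verdict, decoded_bytes_or_None).

    Hypothetical helper: checks for the 'three letters + Base64' shape
    described in the article before trying an ordinary decode.
    """
    blob = blob.strip()
    head, rest = blob[:3], blob[3:]
    # Valid padded Base64 always has a length that is a multiple of 4.
    # Three extra leading characters shift that to 3 mod 4.
    if len(blob) % 4 == 3 and rest and head.isascii() and head.isalpha():
        body = strict_b64(rest)
        if body is not None:
            # Still encrypted: the article does not name the cipher.
            return "prefixed-base64", body
    body = strict_b64(blob) if blob else None
    if body is not None:
        return "plain-base64", body
    return "unrecognised", None


# Constructed sample data, not taken from real traffic.
SAMPLE_CIPHERTEXT = bytes(range(16))
SAMPLE_PLAIN = base64.b64encode(SAMPLE_CIPHERTEXT).decode("ascii")
SAMPLE_WIRE = "qzt" + SAMPLE_PLAIN  # three constructed prefix letters

if __name__ == "__main__":
    # A naive strict decode of the whole blob fails outright.
    print("naive decode:", strict_b64(SAMPLE_WIRE))
    verdict, data = unwrap(SAMPLE_WIRE)
    print(verdict, data.hex())
    print(unwrap(SAMPLE_PLAIN)[0])
    print(unwrap("hello world")[0])
```
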
The bottom line
Educated Manticore is constantly evolving and polishing previously identified toolsets and delivery mechanisms. Because the current variant is an updated version of previously reported malware linked to Phosphorus, researchers surmise that it might represent only the first phase of infection, with a significant portion of post-infection activity yet to be observed in real-world scenarios.